Analysis

  • max time kernel
    143s
  • max time network
    131s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240802-en
  • resource tags

    arch:x64, arch:x86, image:win10v2004-20240802-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    14/08/2024, 12:27

General

  • Target

    961954bbc411d4eafd72efad94a6e160_JaffaCakes118.exe

  • Size

    435KB

  • MD5

    961954bbc411d4eafd72efad94a6e160

  • SHA1

    0a0e1830d6b2a169527fe61b9111b4171cc5a01f

  • SHA256

    bcd74869fed12192e15d27254f6736621a82fbdcb555f7a258d0f2fa99eed36e

  • SHA512

    c70698005bd0974ace29ad991b3dd3cae82809a088ba6b090e1b2786bf72f87e5a87493aadab7d0adf4e2929bf7d0edc903154a590f15439543f45af1ad22cdb

  • SSDEEP

    12288:ji8ssa1TX35mrEe0zfGr7c1+GHjcSczuhE:ji8sjTZmrEesbMGDSzu2

Malware Config

Signatures

  • Event Triggered Execution: AppInit DLLs 1 TTPs

    Adversaries may establish persistence and/or elevate privileges by executing malicious content triggered by AppInit DLLs loaded into processes.

  • Deletes itself 1 IoCs
  • Executes dropped EXE 1 IoCs
  • Loads dropped DLL 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Suspicious behavior: EnumeratesProcesses 4 IoCs
  • Suspicious use of AdjustPrivilegeToken 5 IoCs
  • Suspicious use of UnmapMainImage 1 IoCs
  • Suspicious use of WriteProcessMemory 3 IoCs

Processes

  • C:\Windows\system32\svchost.exe
    C:\Windows\system32\svchost.exe -k netsvcs -p -s gpsvc
    1⤵
    • Executes dropped EXE
    • Suspicious use of UnmapMainImage
    PID:388
  • C:\Users\Admin\AppData\Local\Temp\961954bbc411d4eafd72efad94a6e160_JaffaCakes118.exe
    "C:\Users\Admin\AppData\Local\Temp\961954bbc411d4eafd72efad94a6e160_JaffaCakes118.exe"
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:5000
    • C:\Windows\SYSTEM32\rundll32.exe
      rundll32.exe "C:\Users\Admin\AppData\Roaming\tmp88F7.tmp", Install C:\Users\Admin\AppData\Local\Temp\961954bbc411d4eafd72efad94a6e160_JaffaCakes118.exe
      2⤵
      • Deletes itself
      • Loads dropped DLL
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:4920
  • C:\Windows\system32\WerFault.exe
    "C:\Windows\system32\WerFault.exe" -k -lc NDIS NDIS-20240814-1228.dmp
    1⤵
      PID:2772

Network

MITRE ATT&CK Enterprise v15

Downloads

    • C:\Users\Admin\AppData\Roaming\tmp88F6.tmp

      Filesize

      577KB

      MD5

      56ba53de2646c5260d6bbe7c2006d275

      SHA1

      0449eba1d5b0f8b5ef5737429c1b349ff19cfddb

      SHA256

      e824123c7536555ec609aef31ddefc6ae084db686be7622ecf302390ad2eba5b

      SHA512

      4fec07c24beef58d8569e5053c55f13ff8b93326310ae1bea714763919bdb3e1988d82d0554739c3c0f36b5b86b24279dfd6d046f00bcdbd5724410cbeed35c9

    • C:\Users\Admin\AppData\Roaming\tmp88F7.tmp

      Filesize

      59KB

      MD5

      b1fb36e272f1ae7aacc6763500ee92a5

      SHA1

      0805ff1ee4618480db415fde38a24a046acdbab4

      SHA256

      0685506aadd8601ec782d017db4313e04d24148c8d6b17eb243a14be072f0d75

      SHA512

      d75e7feeb50d5e42a356e55ed83adda4a6ec0f50204db8429dd103daa8e16b37d7234674dd3b294336c44acbbf61c5bfba2043a0c865528c2b51639e87a5ecfa

    • memory/388-26-0x00007FFB79530000-0x00007FFB79540000-memory.dmp

      Filesize

      64KB

    • memory/388-27-0x00007FFB79530000-0x00007FFB79540000-memory.dmp

      Filesize

      64KB

    • memory/388-25-0x00007FFB79530000-0x00007FFB79540000-memory.dmp

      Filesize

      64KB

    • memory/388-18-0x000001E0DA4B0000-0x000001E0DA4CC000-memory.dmp

      Filesize

      112KB

    • memory/388-28-0x000001E0DA4D0000-0x000001E0DA54B000-memory.dmp

      Filesize

      492KB

    • memory/4920-6-0x0000000180000000-0x0000000180096000-memory.dmp

      Filesize

      600KB